Latest Equifax Bungle: Predictable Credit Freeze PINs

If the pressure wasn't high enough already on Equifax after it exposed personal details for tens of millions of consumers, keen observers have noticed another security-related bungle: It appears that a 10-digit PIN used by consumers to lock and unlock their credit reports is easily predictable, which would undermine a key defense against potential identity theft schemes.

Even worse: Equifax charges some consumers - depending on the state in which they live - between $5 and $10 to replace the insecure PIN, and applications to change the PIN can only be made by postal mail.

Once fraudsters steal a consumer's personal information, there's no way to stop them from using it to try to open new accounts or lines of credit. But one way to stop those types of attempts from succeeding is by "freezing" your credit report, which means no entity can access it without your approval.

Once credit reports get frozen, banks cannot obtain access to them either. In theory, this means a new account cannot be opened without the legitimate consumer's authorization.

Sometimes credit report freezes get offered for free. But Equifax and other credit agencies usually charge a fee.

Call to Freeze

Many security experts have been recommending freezing credit reports as an identity theft defensive maneuver to anyone who has been affected by the Equifax breach - more than half of the U.S. adult population.

The breach, discovered July 29 but only announced by Equifax last week, exposed names, addresses, birthdates, Social Security numbers and in some cases, driver's license numbers, for 143 million people. It also exposed credit card numbers of 209,000 people and credit dispute-related documents relating to 182,000 consumers (see Equifax: Breach Exposed Data of 143 Million Consumers).

Consumers who request a credit freeze with Equifax get a 10-digit PIN. That PIN can then be used to temporarily unfreeze a report when someone legitimately applies for credit.

Predictable PIN Problem

Since the breach, many have lodged freezes with Equifax. And over the weekend, some observers noted that the PINs - which should, in theory, be difficult-to-predict, random numbers - in fact aren't random at all.

The PIN is merely based on the date and time - down to the minute - when someone initiates a freeze, writes Tony Webster, who describes himself as a web engineer and public records researcher, on Twitter.

The potential danger posed by Equifax's PIN-generating pattern should be obvious: Any fraudster who already has a person's personal information can potentially brute-force the credit-freeze PIN, unlocking someone's credit record and then proceeding with whatever misdeeds they may have planned, with unchecked abandon.

Don't Bet on These Odds

For those with a mathematical bent, Mark Stockley, founder of the web consultancy Compound Eye and a writer for Sophos's Naked Security blog, calculated the statistical challenge facing any attacker who wanted to brute-force unlock a frozen Equifax credit report.

"At the time of writing, the breach announcement happened about three days ago - and there are fewer than 5,000 minutes in three days," Stockley writes. "If you froze your credit files since the announcement, the odds of guessing your PIN correctly aren't one in ten billion, they're better than one in 5,000."

Stockley, however, has identified a further risk relating to how Equifax generates PINs. Because Equifax's web servers will be recording timestamps of people's activity on the site, there's probably a timestamp within Equifax's logs that matches the PIN. It's effectively an improperly secured copy of the PIN, he writes.
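To make the gap concrete, here is an added illustration (not code from the article, its sources or Equifax) that compares the uncertainty in a minute-resolution timestamp PIN with a PIN drawn from a CSPRNG, and shows how an issuer could audit already-issued PINs to find the ones that need resetting. The digit layout and all function names are assumptions; the article says only that the PIN is based on the date and time.

```python
import math
import secrets
from datetime import datetime, timedelta

PIN_DIGITS = 10
FULL_BITS = PIN_DIGITS * math.log2(10)  # ~33.2 bits if every digit were random
# Assumed digit layout (month, day, year, hour, minute); the article only says
# the PIN is based on the date and time, down to the minute.
ASSUMED_LAYOUT = "%m%d%y%H%M"


def timestamp_pin(when: datetime) -> str:
    """Weak scheme: the PIN is just the freeze time at minute resolution."""
    return when.strftime(ASSUMED_LAYOUT)


def random_pin() -> str:
    """Replacement scheme: uniform over all 10-digit strings, from the OS CSPRNG."""
    return f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"


def effective_bits(window: timedelta) -> float:
    """Uncertainty left once the freeze is known to fall somewhere in `window`."""
    minutes = max(1, int(window.total_seconds() // 60))
    return math.log2(minutes)


def looks_time_derived(pin: str, earliest: datetime, latest: datetime) -> bool:
    """Audit check: flag an issued PIN that decodes to a minute in the issuing window.

    A truly random PIN matches by chance with probability (minutes in window) / 10**10.
    """
    if len(pin) != PIN_DIGITS or not pin.isdigit():
        return False
    try:
        decoded = datetime.strptime(pin, ASSUMED_LAYOUT)
    except ValueError:
        return False
    return earliest <= decoded <= latest


if __name__ == "__main__":
    issued = datetime(2017, 9, 10, 14, 32)  # constructed sample freeze time
    pin = timestamp_pin(issued)
    print(pin, looks_time_derived(pin, datetime(2017, 9, 7), datetime(2017, 9, 11)))
    print(f"{effective_bits(timedelta(days=3)):.1f} bits vs {FULL_BITS:.1f} bits")
```

A three-day window leaves roughly 12 bits of uncertainty against about 33 bits for a uniformly random 10-digit PIN, which is why switching the generator without reissuing the old PINs leaves earlier freezes exposed.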

Equifax Promises Changes

But wait, there's more. I contacted Equifax, which appears to realize there's a problem, but doesn't quite grasp the full impact. On a positive note, Wyatt Jefferies, Equifax's senior director of public relations, told me via email that the company plans to change the way PINs are generated within the next day or so.

"While we have confidence in the current PIN system, we understand and appreciate that consumers have questions about how PINs are currently generated," he writes.

Equifax tells me it plans to institute a new system that will generate random PIN codes.

Jefferies writes that consumers have been able to request a change of their PIN, which is then sent by postal mail to their address. But it doesn't appear, despite related security warnings over non-random PINs, that Equifax is going to reset all of the previous PINs that have been generated based on dates and times.

Webster, who first publicized Experian's PIN problem, worries that having to correspond by mail with Equifax will serve as a disincentive for all of the consumers now at risk due to Equifax's non-random PINs.

Simply put, he says, Equifax's response is not good enough, and the data broker needs to be offering replacement PINs via an online service. "When a consumer can request a PIN online, they should be able to set and reset that PIN online," he tells me.

PIN Change? That'll be $10

I did some further digging into Equifax's freeze PINs and found a document on Equifax's website that describes the fee structure for resetting PINs. That's right: Equifax has even monetized a security control.

The fee varies by state, but Equifax charges most people about $5 to $10 to get a new PIN. The fee is waived in some places for varying conditions, such as if someone has been a victim of identity theft or is on active duty for the military.

Equifax often charges consumers a fee, including if they need to replace the insecure credit-freeze PIN previously generated by the data broker.

Big data brokers like Equifax - and let's not leave out Experian and TransUnion - collect people's personal financial data without their consent. These aren't opt-in services like Google or Facebook, where you willingly divulge personal information for the trade-off of a free service.

Credit monitoring companies literally give nothing back to consumers. The least that could be done - and perhaps this is something for regulators to insist upon - is to prohibit them from charging consumers to protect their data using essential security controls made even more essential by the likes of the Equifax breach.

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.